Health data comes within a person's most intimate sphere. It is therefore considered to be sensitive data due to the great impact it could have on a person's life if this data were freely available. Unauthorised disclosure may lead to various forms of discrimination and violation of fundamental rights. Rapid modern technological developments bring enormous benefits to society. However, with this digitisation, massive amounts of health data are generated. This makes our health data vulnerable, especially when transferred across borders. The new EU General Data Protection Regulation (GDPR) legal framework provides for rights for users of modern technologies (data subjects) and obligations for companies (controllers and processors) with regard to processing of personal data. Chapter V of the GDPR protects personal data that are transferred to third countries, outside the EU. The term 'transfer' itself however is not defined by the GDPR. This paper examines whether transfer within the meaning of the GDPR applies to health data processed by modern technologies and if the complexity of the GDPR legal framework as such sufficiently reflects reality and protects health data that moves across borders, in particular to jurisdictions outside the EU.